Bug: Remove duplicate headers in Reponse

[theskumar]

Connection: keep-alive
Content-Encoding: gzip
Content-Type: text/html; charset=utf-8
Date: Fri, 11 Aug 2017 11:31:19 GMT
REQUEST_ID: e3a346aae36b41549f6613117a2bde18
Server: nginx
Transfer-Encoding: chunked
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
strict-transport-security: max-age=600000; includeSubDomains
x-content-type-options: nosniff
x-xss-protection: 1; mode=block

Currently it returns, see duplicates for:

X-Frame-Options
x-xss-protection

[vikalpj]

the duplicate header are because both Django & Nginx both are adding these headers
Django -

django-init/{{cookiecutter.github_repository}}/settings/common.py

Line 314 in 3d6e4a5

SECURE_CONTENT_TYPE_NOSNIFF = True

Nginx -

django-init/{{cookiecutter.github_repository}}/provisioner/roles/nginx/templates/nginx.conf.j2

Line 41 in 3d6e4a5

add_header X-Frame-Options SAMEORIGIN;

Django headers are needed only when we are deploying to service like Heroku.

Suggestions - there can be a variable in cookie-cutter config to ask if heroku scripts are needed and based on that we can alter the variable.
or
We can have these variables to be picked from .env and In .env.sample we can define in comments when this need to be set to True of False.

[theskumar]

To start off, Django settings should be disabled if using Ansible (+ controllable with .env, would be nice to have), later can we can have an explicit choice b/w Heroku and AWS.

Subsequently, we would be dropping support of Heroku.